Breach rule 'not consistent with congressional intent'

HHS has pleased some, infuriated others and—along the way—stepped into a congressional buzz saw with the imaginative interpretation of statutory language it wrote into an administrative rule last month to flesh out the federal data breach notification provisions of the American Recovery and Reinvestment Act of 2009.

HHS published the rule Aug. 24. It went into effect Sept. 23. HHS took its first shot in the rulemaking process on breach notification in a combined “guidance” and “request for information” it issued in April.

Before the public-comment window closed last month, the new rule garnered its fair share of support from healthcare industry organizations, including the American Hospital Association and quality-improvement and group purchasing organization Premier.

Not surprisingly, given the slant HHS put on the rule in limiting the scope of disclosure law, it also catalyzed some strident criticism, including barbs from the Coalition for Patient Privacy and the American Psychoanalytic Association.

But probably the most telling of the negative comments came in an Oct. 1 letter to HHS Secretary Kathleen Sebelius from no less than six powerful leaders in the House of Representatives, including the Energy and Commerce Committee's chairman, Rep. Henry Waxman (D-Calif.), and ranking member, Joe Barton (R-Texas).

Theirs was a beef in part over the separation of powers between the legislative and executive branches of government and in part an argument that if medical records privacy is not assured, people won’t trust health information technology and the government’s multibillion dollar investment in IT won’t reap its intended benefits. The six deemed that a provision of the HHS rule was “not consistent with congressional intent” and urged Sebelius to “revise or repeal” the offending HHS interpretation “at the soonest appropriate opportunity.”

The letter of complaint also was signed by Reps. Charles Rangel (D-N.Y.), Pete Stark (D-Calif.) John Dingell (D-Mich.) and Frank Pallone Jr. (D-N.J.).

On Oct. 20, Sebelius responded to Waxman and the additional congressmen, thanking them for their “views on this important matter,” and saying she is “committed to ensuring strong privacy and security protections.” Sebelius said she would include their letter with other public comments, but did not respond to their request to change or rescind a portion of the rule.

In their letter to Sebelius, the congressmen said HHS stretched the statute when it defined what constitutes a “breach” by improperly introducing the concept of “harm” to its definition.

According to the exact language of the stimulus law Congress passed in February, in the definitions section, it says: “The term 'breach' means the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The word “harm” was not part of the definition.

And yet, in its rule, HHS reported that “many commenters suggested that we add a harm threshold such that an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual.”

And so HHS rulemakers wrote into their rule, in the event of a breach, that it is up to the healthcare providers, researchers, data-miners and their business associates holding sensitive medical data to perform a risk assessment. And in that assessment, they are to determine the extent of the harm done to persons whose records had been breached. And in only those cases where harm is determined are they required by law to notify the affected patients.

Thus, according to the HHS definition, a breach “is considered a breach only if the use or disclosure poses some harm to the individual.”

Elsewhere, the HHS rule said the data holder, in making its calculation of harm, also can give more or less weight to the relative sensitivity of the data that was breached. “If the nature of the protected health information does not pose a significant risk of financial, reputational or other harm, then the violation is not a breach,” HHS added. In other words, according to HHS, when it comes to harm, not all breached data is equal.

Yet HHS provided no helpful definition of what might constitute harm, leaving that determination—and ample latitude—with the organization that committed the breach, not to the patient, who likely would remain unaware that a breach ever occurred.

Even within the executive branch, HHS went out on a limb with this reading of the law. The Federal Trade Commission, in drafting a companion rule under the stimulus law on breaches by vendors and business associates involved with consumer-oriented personal health-record systems, did not use a harm threshold.

The six congressmen took a rather dim view of HHS' creative interpretation of their work, not surprisingly, since 16 months earlier they had contemplated—and dropped—a harm threshold during their law-making process.

“In fact, during development towards a final policy,” the congressmen wrote, “the committee on Energy and Commerce released a discussion draft of health information technology and privacy legislation in May 2008.” That draft “included a harm standard that was later rejected.”

In contrast, the House members wrote, Congress opted for “legislation that has a black and white standard for notification” to “provide incentives for healthcare entities to protect data,” encourage the use of encryption “and to allow individuals to assess the level of unauthorized use or disclosure of their information.”

“Such transparency allows the consumer to judge the quality of a healthcare entity's privacy protection based on how many breaches occur, enabling them to choose entities with better privacy practices,” according to the letter. “Furthermore, a black and white standard makes implementation and enforcement simpler.”

Mixed opinions

The AHA, with some reservations, generally endorsed the HHS effort, “particularly HHS' recognition that the federal breach requirements necessitate an explicit risk of harm trigger for the notice obligations,” according to its six-page public comment letter by Executive Vice President Richard Pollack.

The AHA “strongly” urged HHS to keep the breach definition that includes the element of harm. The association also expressed content with an HHS clarification that patient notification wasn't required in cases involving unauthorized but “unintentional acquisition, access or use” of data made “in good faith and within the course of that employee's or individual's employment” provided the data is not further accessed or used.

The American Psychoanalytic Association, in its Oct. 23 public-comment letter written by Washington lawyer James Pyles, a partner in the law firm Powers Pyles Sutter & Verville, said HHS, by adding a harm threshold, “materially alters the statutory definition of breach.” Its interpretation not only is “contrary to the plain language of the statute” but also “would appear to be a classic case of ‘putting the fox in charge of the henhouse.” There is, Pyle wrote, “simply no authority” for such an exception. Federal agencies such as HHS “are not free to ‘modify' statutes passed by Congress.”

In addition, Pyles said, HHS overreached when it determined that contrary state laws will be pre-empted by its breach-notification regulation. That, too, “has no support” in the language of the stimulus law and “is contrary to the statutory language of HIPAA,” he said.